Re: [pakgrid] Re: PKI in Pakistan

 

Dear Sajjad,

I do agree that Pakistan should have its own self-reliant PKI, in fact it should have several PKI infrastructures who compete with each other and are regulated by one independent body (and registration authorities should be segregated from certification authorities which is not the case right now), especially ever more so important now that many corporations and individuals in Pakistan are using "cloud" services i.e. local clouds as well as clouds outside the country, for which cryptography is paramount to prevent data compromise.

You seem to have taken some offense at hard facts - whereas reliance on a non-Pakistani company (Verisign/Symantec) has its pros and cons (for example outright compromise of data by foreigners is not possible with the root key without local collusion in the end-customer's organization); it should not be made an excuse for not upgrading controls at other infrastructures. 

NCP must be good enough for education/research (and of course it is low cost vs. commercial by excluding HSM's and some other controls) but I wanted to make readers on this yahoo group aware that they should be cautious before using it for financial transactions, as you have yourself stated that OCSP etc. services and some other controls are not in place. Education/research data is still considered low risk; please do let us know if any of the hundreds of entities using NCP is using it to conduct financial transactions in bank accounts.

I do recognize, applaud and am proud of the efforts at NCP (of which you appear to be a key player) because it is local and home-grown, and I am a proponent of Pakistani self-reliance and self-capability, just wanted to point out for the benefit of the wider audience on this yahoo group since people are not aware; just having physical controls is not good enough for critical financial transactions. What if a customer loses their keys and did not back-up their keys (very common in financial institutions) - how will they decrypt without escrow? What if you have insider compromise (e.g. wikileaks)? What if you have an earthquake (e.g. Japan)? 

If you still believe NCP is good enough for financial transactions, I would like to try it out and then spread the word to others so that we can stop relying on parties relying on foreign commercial companies (and save foreign exchange payments as well). Please send me an email at kamran.meer@gmail.com with your cell number so that we may establish contact as I would really like to try the NCP PKI services for my own transactions, thus evaluate the NCP PKI service.

Regards,

Kamran

On Mon, Jan 30, 2012 at 3:48 AM, Sajjad asghar <sa4_79@yahoo.com> wrote:

 

Dear Kamran,

First of all PK-GRID-CA is an offline CA, which mean it is totally secure as none of its critical components are attached with any network, this is one way of establishing a CA the other one is having an online CA for which you required an HSM (FIPs level three atleast) which is really expensive. OCSP is something that is required to ensure the availability of up to date information about revocation and it could be setup easily. NCP is using CRL for revoked certificate and it is supported by the LCG project, as NCP is part of this project. I am surprise to see your comment "no root key protection under-writings" in the case of off-line CA root key is protected by not connecting the signing machine to any network and its the physical security that becomes important and it is covered in the CP/CPS. Furthermore PK-GRID-CA is member of IGTF and there are hundreds of CAs that are part IGTF they are running with same kind of CP/CPS as these CP/CPS are written according to RFC 3820 none of the members of IGTF has raise any concern about the security of system. There is a due process in IGTF to get accreditation as CA; a committee accredited PK-GRID-CA after reviewing its CP/CPS. Now NCP is running this CA for almost 8 years and not a single problem related to security has been reported. 

 

The current accreditation of PK-GRID-CA is from IGTF that's why they are issuing certificate to research community for other purposes a new CP/CPS document is required. If there is a community that required digital certificate other than research purposes they can come under the new CP/CPS. In this case certificates are going to be much cheaper than NIFT and more people will be able to afford the digital certificate.

 

In my opinion we need a national CA for this purpose and not some forging company having a potential access to our critical financial and government data (VeriSign in this case is that company).

Br

Sajjad

---

From: Kamran Meer <kamran.meer@gmail.com>
To: pakgrid@yahoogroups.com
Sent: Friday, January 27, 2012 3:14:26 PM
Subject: Re: [pakgrid] Re: PKI in Pakistan

 

Thanks to Sajjad for bringing this to our knowledge, however if you read the CPS of this PKI established at QAU-NCP Islamabad, many of the controls have "No Stipulation", they have no key escrow arrangement, no up-time guarantees, no BCP guarantees, no OCSP and no root key protection under-writings.

The CPS also adds the disclaimer: "The PK-Grid-CA will issue certificates to entities, which are based and/or having offices in Pakistan, and are intended for cross-organizational sharing of resources. The focus of these organizations should also be in research and/or education."

In conclusion, this PKI is a great initiative taken long before NIFT but it does not compare to the features of NIFT which carries far less risk and root key protection is under-written by VeriSign PKI (now owned by Symantec). Users (even if they belong to research or education organizations) should use the services of the QAU-NCP PKI CA with full knowledge of the prevalent risks, as I have identified above.

Regards,

Kamran Meer

On Thu, Jan 26, 2012 at 11:10 PM, Sajjad asghar <sa4_79@yahoo.com> wrote:

 

Natioanl center for physics has a PKI setup with the name  of Pk-GRID CA ,it was established in 2004 long before NIFT.  Here is website of the  PK-Grid CA

http://www.ncp.edu.pk/pk-grid-ca/.

Best Regards

Sajjad Asghar

---

From: Javed Naushahi <jnaushahi@yahoo.com>
To: "pakgrid@yahoogroups.com" <pakgrid@yahoogroups.com>; "ammar@brain.net.pk" <ammar@brain.net.pk>
Sent: Wednesday, January 25, 2012 2:51:24 AM
Subject: [pakgrid] Re: PKI in Pakistan

 

Dear Jafferi saheb,

 

Do we have moe PKIs / CAs operating in the country in Education or Govt. sector?, other than e-NIFT.

 

Is there any plan to launch low cost PKI, with decades of experience under your belt in e-security.

 

Regards,

 

Javed Naushahi

 

From: "ammar@brain.net.pk" <ammar@brain.net.pk>
To: pakgrid@yahoogroups.com
Sent: Thursday, January 19, 2012 8:46 AM
Subject: Re: [pakgrid] URDU Content on Web

 

Dear Rauf Sb,

This is totally not-for-profit activity and not funded by any
organization. ( For E-Village Project ). All information is public and can
be shared with anyone interseted to get it.

Information provided by few friends has been of great help but as you all
know this is a big job and I would request all those who can help may
provide the required information.

Regards,

Ammar Jaffri

__._,_.___

Reply to sender | Reply to group | Reply via web post | Start a New Topic

Messages in this topic (18)

Recent Activity:

• New Members 10

Visit Your Group

Switch to: Text-Only, Daily Digest • Unsubscribe • Terms of Use

.

__,_._,___